[
https://issues.apache.org/jira/browse/CXF-8414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Will Croteau updated CXF-8414:
------------------------------
Labels: OIDC (was: )
> OAuth 2.0: authorize response_type order matters
> ------------------------------------------------
>
> Key: CXF-8414
> URL: https://issues.apache.org/jira/browse/CXF-8414
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.2
> Reporter: Will Croteau
> Priority: Major
> Labels: OIDC
>
> Per the OAuth2 Specification:
> If a response type contains one or more space characters (%x20), it
> is compared as a space-delimited list of values in which the order of
> values does not matter. Only one order of values can be registered,
> which covers all other arrangements of the same set of values.
> For example, the response type "token code" is left undefined by this
> specification. However, an extension can define and register the
> "token code" response type. Once registered, the same combination
> cannot be registered as "code token", but both values can be used to
> denote the same response type.
> OidcImplicitService and OidcHybridService both support multiple response
> types, but require specific ordering. This is a violation of the OAuth2
> specification.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)